Security vulnerability with `/*` wildcard #282

vlad-pisanov · 2024-09-26T07:07:11Z

Say I grant access to /data/*:

allow do
  origins '*'
  resource '/data/*'
end

In actuality, this also grants access to /data_private, /database/foo/bar, and essentially any resource whose path starts with /data. ⚠️

This is because the constructed regex makes the slash optional, and effectively behaves like *:

rx = compile('/data/*')    # /^\/data\/?(.*?)$/
rx === '/data'             # true
rx === '/database'         # true
rx === '/database/foo/bar' # true

The text was updated successfully, but these errors were encountered:

luke-zhou · 2024-10-07T02:30:41Z

I can create a PR, if no one creates

…abase This should resolve cyu#282.

fsanggang added a commit to fsanggang/rack-cors that referenced this issue Nov 27, 2024

Adjust resource wildcard matching e.g. /data/* no longer matches /dat…

17ca0dd

…abase This should resolve cyu#282.

fsanggang added a commit to fsanggang/rack-cors that referenced this issue Nov 27, 2024

Adjust resource wildcard matching e.g. /data/* no longer matches /dat…

336adc4

…abase This should resolve cyu#282.

fsanggang added a commit to fsanggang/rack-cors that referenced this issue Nov 27, 2024

Adjust resource wildcard matching e.g. /data/* no longer matches /dat…

72c0d7f

…abase This should resolve cyu#282.

fsanggang linked a pull request Nov 27, 2024 that will close this issue

Adjust resource wildcard matching #284

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security vulnerability with `/*` wildcard #282

Security vulnerability with `/*` wildcard #282

vlad-pisanov commented Sep 26, 2024

luke-zhou commented Oct 7, 2024

Security vulnerability with /* wildcard #282

Security vulnerability with /* wildcard #282

Comments

vlad-pisanov commented Sep 26, 2024

luke-zhou commented Oct 7, 2024

Security vulnerability with `/*` wildcard #282

Security vulnerability with `/*` wildcard #282